Closed Bug 1633538 Opened 3 months ago Closed 3 months ago

Stop stripping referrers of 3rd-party iframes when dFPI is enabled

Categories

(Core :: Privacy: Anti-Tracking, defect, P1)

defect

Tracking

()

RESOLVED FIXED
mozilla77
Tracking Status
firefox77 --- fixed

People

(Reporter: xeonchen, Assigned: xeonchen)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

I don't have an idea how we should handle referrer for dFPI case.
Probably we'd prefer stripping the referrer, but I'd like to hear if baku any steven has any feedback?

Flags: needinfo?(senglehardt)
Flags: needinfo?(amarchesini)

Let's talk about this topic during our weekly meeting.
My point of view is that, yes, we should strip the referrer, but I think we should be in sync with what the privacyGC says.

Flags: needinfo?(amarchesini)

(In reply to Andrea Marchesini [:baku] from comment #3)

Let's talk about this topic during our weekly meeting.
My point of view is that, yes, we should strip the referrer, but I think we should be in sync with what the privacyGC says.

We didn't get a chance to discuss. My general feeling here is that it's clearly a privacy win to strip referrer, and we should do so if we're able to. But it's a separate feature from partitioning, and bundling the two runs the risk of us delaying partitioned storage because of breakage / retention issues that result from referrer stripping. IMO it's better to roll this out as a separate protection measure, so I'm fine with us disabling this now and adding it to the backlog of anti-tracking features while we focus on partitioning.

Flags: needinfo?(senglehardt)

Bug 1589074 is in our backlog and seems like a better path to handling cross-origin referrers than trying to strip them with dfpi.

See Also: → 1633993

(In reply to Steven Englehardt [:englehardt] from comment #5)

Bug 1589074 is in our backlog and seems like a better path to handling cross-origin referrers than trying to strip them with dfpi.

I've filed bug 1633993 as follow-up, but seems bug 1589074 will also fix this issue because the behavior will be the same regardless dfpi is enabled or not. So if bug 1589074 is fixed then we can close bug 1633993 as duplicated.

Assignee: nobody → xeonchen
Status: NEW → ASSIGNED
Priority: -- → P1
Summary: Referrer of 3rd-party iframe is stripped when dFPI is enabled → Stop stripping referrers of 3rd-party iframes when dFPI is enabled
Pushed by xeonchen@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/7e74e5d3c0db
allow referrer for `STATE_COOKIES_PARTITIONED_FOREIGN`; r=baku
Status: ASSIGNED → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla77
You need to log in before you can comment on or make changes to this bug.